Why won't this patch be applied if users are aware of what they're doing?

Users who are "aware of what they're doing" (i.e. running insecure code) should be more than capable of applying the patch themselves.

If you're a developer, you'd be better off a) fixing or reporting Lizzy bugs (it silently failed for me with pretty much the first PLS file I tested) and b) improving/wrapping its clumsy interface so that it can be used as a generic solution for all folder-like files, including RSS feeds.

No. For development, you can check out the source from the Subversion repo and drop lizzy.jar and some of its dependencies in the lib directory. You probably don't need to add jna.jar (already included), args4j.jar or ffmpeg-java.jar (not needed for playlist parsing), and may not need to add commons-logging.jar. Then start by replacing the hand-coded playlist parsers in PlaylistFolder.java with their Lizzy equivalents. If you get that working with local files, the same functionality can be reused to work with URLs.